Skip to content

zenlint/ocitools

 
 

Repository files navigation

ocitools

ocitools is a collection of tools for working with the OCI specification.

Generating OCI spec configuration files

# ocitools generate --help
NAME:
   generate - generate a OCI spec file

USAGE:
   command generate [command options] [arguments...]

OPTIONS:
   --rootfs                                             path to the rootfs
   --read-only                                          make the container's rootfs read-only
   --privileged                                         enabled privileged container settings
   --hostname "acme"                                    hostname value for the container
   --uid "0"                                            uid for the process
   --gid "0"                                            gid for the process
   --groups [--groups option --groups option]           supplementary groups for the process
   --cap-add [--cap-add option --cap-add option]        add capabilities
   --cap-drop [--cap-drop option --cap-drop option]     drop capabilities
   --network                                            network namespace
   --mount                                              mount namespace
   --pid                                                pid namespace
   --ipc                                                ipc namespace
   --uts                                                uts namespace
   --selinux-label                                      process selinux label
   --tmpfs [--tmpfs option --tmpfs option]              mount tmpfs
   --args                                               command to run in the container
   --env [--env option --env option]                    add environment variable
   --mount-cgroups "ro"                                 mount cgroups (rw,ro,no)
   --bind [--bind option --bind option]                 bind mount directories src:dest:(rw,ro)
   --prestart [--prestart option --prestart option]     path to prestart hooks
   --poststop [--poststop option --poststop option]     path to poststop hooks
   --root-propagation                                   mount propagation for root
   --os "linux"                                         operating system the container is created for
   --arch "amd64"                                       architecture the container is created for
   --cwd "/"                                            current working directory for the process
   --uidmappings [--uidmappings option ]                add UIDMappings  e.g HostID:ContainerID:Size
   --gidmappings [--gidmappings option ]                add GIDMappings  e.g HostID:ContainerID:Size
   --apparmor                                           specify the the apparmor profile for the container
   --seccomp-default                                    specify the the defaultaction of Seccomp syscall restrictions
   --seccomp-arch [--seccomp-arch option ]              specify Additional architectures permitted to be used 
                                                         for system calls
   --seccomp-syscalls [--seccomp-syscalls option]       specify syscalls used in Seccomp
                                                        e.g Name:Action:Arg1_index/Arg1_value/Arg1_valuetwo/Arg1_op, 
                                                            Arg2_index/Arg2_value/Arg2_valuetwo/Arg2_op

Testing OCI runtimes

$ make
$ sudo make install
$ sudo ./test_runtime.sh -r runc
-----------------------------------------------------------------------------------
VALIDATING RUNTIME: runc
-----------------------------------------------------------------------------------
validating container process
validating capabilities
validating hostname
validating rlimits
validating sysctls
Runtime runc passed validation

Building rootfs.tar.gz

The root filesystem tarball is based on Gentoo's amd64 stage3 (which we check for a valid GnuPG signature), copying a minimal subset to the root filesytem, and adding symlinks for all BusyBox commands. To rebuild the tarball based on a newer stage3, just run:

$ touch get-stage3.sh
$ make rootfs.tar.gz

Getting Gentoo's Release Engineering public key

If make rootfs.tar.gz gives an error like:

gpg --verify downloads/stage3-amd64-current.tar.bz2.DIGESTS.asc
gpg: Signature made Thu 14 Jan 2016 09:00:11 PM EST using RSA key ID 2D182910
gpg: Can't check signature: public key not found

you will need to add the missing public key to your keystore. One way to do that is by asking a keyserver:

$ gpg --keyserver pool.sks-keyservers.net --recv-keys 2D182910

About

OCI Testing Toolset

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 87.9%
  • Shell 8.8%
  • Makefile 3.3%